Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,842 Total Advisories
1,806 With Dependabot PRs
3,510 Critical Severity
8,633 High Severity
Directus inserts access token from query string into logs
GHSA-vw58-ph65-6rxp CVE-2024-47822 MODERATE 8 months ago
### Summary
Access token from query string is not redacted and is potentially exposed in system logs which may be persisted.
### Details
The acces...
npm
No PRs yet
Vite has an `server.fs.deny` bypass with an invalid `request-target`
GHSA-356w-63v5-8wf4 CVE-2025-32395 MODERATE 8 months ago
### Summary
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
### Impact
Only apps with ...
npm
4 Dependabot PRs, 25% merged
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function
GHSA-x2rg-q646-7m2v CVE-2025-32379 MODERATE 8 months ago
### Summary
In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript co...
npm
No PRs yet
crud-query-parser SQL Injection vulnerability
GHSA-9r25-rp3p-h2w4 CVE-2025-32020 HIGH 8 months ago
### Impact
Improper neutralization of the `order`/`sort` parameter in the TypeORM adapter, which allows SQL injection.
You are impacted by this v...
npm
No PRs yet
Flowise Vulnerable to SQL Injection via `tableName` Parameter
GHSA-gjx9-wg9x-7gvp CVE-2025-29189 HIGH 8 months ago
Flowise <= 2.2.3 is vulnerable to SQL Injection via the tableName parameter at Postgres_VectorStores.
npm
No PRs yet
ts-asn1-der has Incorrect DER Encoding of Numbers Leading to Denial of Service and Incorrect Value Representation
GHSA-p4qw-7j9g-5h53 CVE-2025-32029 MODERATE 8 months ago
### Impact
Incorrect `number` DER encoding can lead to denial of service for absolute values in the range `2**31` -- `2**32 - 1`. The arithmetic i...
npm
No PRs yet
estree-util-value-to-estree allows prototype pollution in generated ESTree
GHSA-f7f6-9jq7-3rqj CVE-2025-32014 MODERATE 8 months ago
### Impact
When generating an ESTree from a value with a property named `__proto__`, `valueToEstree` would generate an object that specifies a prot...
npm
No PRs yet
Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass
GHSA-p2q6-pwh5-m6jr CVE-2025-32031 HIGH 8 months ago
# Impact
## Summary
A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive...
npm
47 Dependabot PRs, 50% merged
Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
GHSA-q2f9-x4p4-7xmh CVE-2025-32030 HIGH 8 months ago
# Impact
## Summary
A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive...
npm
46 Dependabot PRs, 50% merged
FlowiseDB vulnerable to SQL Injection by authenticated users
GHSA-9c4c-g95m-c8cp MODERATE 8 months ago
### Summary
Import functions are vulnerable.
* [importChatflows](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/chatfl...
npm
No PRs yet
js-object-utilities Vulnerable to Prototype Pollution
GHSA-hpqf-m68j-2pfx CVE-2025-28269 HIGH 8 months ago
**Vulnerability type:**
Prototype Pollution
**Affected Package:**
* Product: js-object-utilities
* Version: 2.2.0
**Remedy:**
Update package to ...
npm
2 Dependabot PRs
tarteaucitron.js allows url scheme injection via unfiltered inputs
GHSA-p5g4-v748-6fh8 CVE-2025-31476 MODERATE 8 months ago
A vulnerability was identified in `tarteaucitron.js`, allowing a user with high privileges (access to the site's source code or a CMS plugin) to en...
npm
No PRs yet
tarteaucitron.js allows prototype pollution via custom text injection
GHSA-4hwx-xcc5-2hfc CVE-2025-31475 MODERATE 8 months ago
A vulnerability was identified in `tarteaucitron.js`, where the `addOrUpdate` function, used for applying custom texts, did not properly validate i...
npm
No PRs yet
tarteaucitron.js allows UI manipulation via unrestricted CSS injection
GHSA-7524-3396-fqv3 CVE-2025-31138 MODERATE 8 months ago
A vulnerability was identified in `tarteaucitron.js`, where user-controlled inputs for element dimensions (`width` and `height`) were not properly ...
npm
No PRs yet
Vite allows server.fs.deny to be bypassed with .svg or relative paths
GHSA-xcj6-pq6g-qj4x CVE-2025-31486 MODERATE 8 months ago
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the ...
npm
2 Dependabot PRs
generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
GHSA-7rmp-3g9f-cvq8 CVE-2025-31119 HIGH 8 months ago
### Summary
CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') when having Javers selected as Entity Audit...
npm
No PRs yet
expand-object Vulnerable to Prototype Pollution via the expand() Function
GHSA-4vjr-hfpp-2m7w CVE-2025-3197 MODERATE 8 months ago
Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand() function in index.js. This function...
npm
No PRs yet
React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button
GHSA-fq5x-7292-2p5r CVE-2025-3191 LOW 8 months ago
All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in savi...
npm
No PRs yet
bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function
GHSA-3gc7-fjrx-p6mg CVE-2025-3194 HIGH 8 months ago
Versions of the package bigint-buffer from 0.0.0 to 1.1.5 are vulnerable to Buffer Overflow in the toBigIntLE() function. Attackers can exploit thi...
npm
No PRs yet
Improper Scope Validation in the `open` Endpoint of `tauri-plugin-shell`
GHSA-c9pr-q8gx-3mgp CVE-2025-31477 CRITICAL 8 months ago
### Impact
The Tauri [`shell`](https://tauri.app/plugin/shell/) plugin exposes functionality to execute code and open programs on the system. The...
cargo
npm
No PRs yet
Next.js may leak x-middleware-subrequest-id to external hosts
GHSA-223j-4rm8-mrmf CVE-2025-30218 LOW 8 months ago
## Summary
In the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits ...
npm
No PRs yet
image-size Denial of Service via Infinite Loop during Image Processing
GHSA-m5qc-5hw7-8vg7 HIGH 8 months ago
### Summary
`image-size` is vulnerable to a Denial of Service vulnerability when processing specially crafted images.
The issue occurs because of...
npm
No PRs yet
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
GHSA-4q56-crqp-v477 CVE-2025-31137 HIGH 8 months ago
### Impact
We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Expres...
npm
No PRs yet
@alizeait/unflatto Prototype Pollution
GHSA-q8jq-4rm5-4hm5 CVE-2024-38988 HIGH 8 months ago
### Impact
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulne...
npm
No PRs yet
aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct
GHSA-qq4x-c6h6-rfxh MODERATE 8 months ago
### Summary
The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using ...
npm
6 Dependabot PRs
gifplayer XSS vulnerability
GHSA-gr7w-hmch-25g7 CVE-2025-31128 MODERATE 8 months ago
### Impact
XSS vulnerability. All versions below 0.3.7 are impacted.
### Patches
Please upgrade to 0.3.7
npm
No PRs yet
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
GHSA-4r4m-qw57-chr8 CVE-2025-31125 MODERATE 8 months ago
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the n...
npm
2 Dependabot PRs
Uptime Kuma's Regular Expression in pushdeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-hx7h-9vf7-5xhg CVE-2025-26042 MODERATE 8 months ago
### Summary
There is a `ReDoS vulnerability risk` in the system, specifically when administrators create `notification` through the web service (`pu...
npm
No PRs yet
Redoc Prototype Pollution via `Module.mergeObjects` Component
GHSA-9rhg-254w-fh9x CVE-2024-57083 HIGH 8 months ago
A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of S...
npm
No PRs yet
depath and cool-path vulnerable to Prototype Pollution via `set()` Method
GHSA-4h4x-4m75-47j4 CVE-2024-38985 HIGH 8 months ago
janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:...
npm
No PRs yet
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
GHSA-pq67-2wwv-3xjx CVE-2024-12905 HIGH 8 months ago
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
npm
5 Dependabot PRs
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
GHSA-963h-3v39-3pqf CVE-2025-27793 MODERATE 8 months ago
## Impact
Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with ...
npm
No PRs yet
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter
GHSA-rcw3-wmx7-cphr CVE-2025-26619 MODERATE 8 months ago
### Impact
In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression ...
npm
No PRs yet
Directus's webhook trigger flows can leak sensitive data
GHSA-fm3h-p9wm-h74h CVE-2025-30353 HIGH 8 months ago
### Describe the Bug
In Directus, when a **Flow** with the "_Webhook_" trigger and the "_Data of Last Operation_" response body encounters a Vali...
npm
No PRs yet
Directus `search` query parameter allows enumeration of non permitted fields
GHSA-7wq3-jr35-275c CVE-2025-30352 MODERATE 8 months ago
### Summary
The `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to v...
npm
No PRs yet
Suspended Directus user can continue to use session token to access API
GHSA-56p6-qw3c-fq2g CVE-2025-30351 LOW 8 months ago
### Summary
Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode t...
npm
No PRs yet
Directus's S3 assets become unavailable after a burst of HEAD requests
GHSA-rv78-qqrq-73m5 CVE-2025-30350 MODERATE 8 months ago
### Summary
There are some tools that use Directus to sync content and assets.
Some of those tools, like Shopify, use the HEAD method to check the existe...
npm
No PRs yet
Directus's S3 assets become unavailable after a burst of malformed transformations
GHSA-j8xj-7jff-46mx CVE-2025-30225 MODERATE 8 months ago
### Summary
When making many malformed transformation requests at once, at some point, all assets are being served as 403.
### Details
When I was ...
npm
No PRs yet
Shescape has potential environment variable exposure on Windows with CMD
GHSA-66pp-5p9w-q87j CVE-2025-30222 LOW 8 months ago
### Impact
This impacts users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/...
npm
No PRs yet
@mozilla/readability Denial of Service through Regex
GHSA-3p6v-hrg8-8qj7 CVE-2025-2792 LOW 8 months ago
Specially crafted titles may have caused a regular expression to excessively backtrack and cause a local denial of service.
Additional Details are...
npm
No PRs yet
Vite bypasses server.fs.deny when using ?raw??
GHSA-x574-m823-4x7w CVE-2025-30208 MODERATE 8 months ago
### Summary
The contents of arbitrary files can be returned to the browser.
### Impact
Only apps explicitly exposing the Vite dev server to the ne...
npm
2 Dependabot PRs
AWS CDK CodePipeline: trusted entities are too broad
GHSA-5pq3-h73f-66hr LOW 8 months ago
### Summary
The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using...
npm
No PRs yet
GetmeUK ContentTools Cross-Site Scripting (XSS)
GHSA-4f2v-2gpq-qhjg CVE-2025-2699 MODERATE 8 months ago
A vulnerability was found in GetmeUK ContentTools up to 1.6.16. It has been rated as problematic. Affected by this issue is some unknown functional...
npm
No PRs yet
nossrf Server-Side Request Forgery (SSRF)
GHSA-vm77-mr48-27wj CVE-2025-2691 HIGH 8 months ago
Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide a hostname that res...
npm
No PRs yet
AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
GHSA-v63m-x9r9-8gqp CVE-2025-2598 MODERATE 9 months ago
## Summary
The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code ...
npm
No PRs yet
Parse Server has an OAuth login vulnerability
GHSA-837q-jhwx-cmpv CVE-2025-30168 MODERATE 9 months ago
### Impact
The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers t...
npm
7 Dependabot PRs
Authorization Bypass in Next.js Middleware
GHSA-f82v-jwr5-mffw CVE-2025-29927 CRITICAL 9 months ago
# Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
# Patches
* ...
npm
1975 Dependabot PRs, 8% merged
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
GHSA-5ccf-884p-4jjq HIGH 9 months ago
A Denial of Service (DoS) vulnerability exists in open-webui/open-webui version 0.3.21. This vulnerability affects multiple endpoints, including `/...
npm
pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-g3mx-83mp-3rwc CVE-2024-12534 HIGH 9 months ago
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign...
npm
pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-chf7-q7m5-fq92 CVE-2024-12537 HIGH 9 months ago
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/util...
npm
pypi
No PRs yet